ISO 9001 requires top management to review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The review could be carried out at a separate meeting but this is not a requirement of the standard.
There are many ways in which Top Management can review the quality management system, such as receiving and reviewing a report generated by the management representative or other personnel, electronic communication, or as part of regular management meetings where issues such as budgets and targets are also discussed.
The management review is a process that should be conducted and audited utilizing the process approach. Organizations need to be able to demonstrate that they have evaluated the effectiveness of actions taken to address risks and opportunities during management review; consequently auditors will be able to obtain objective evidence on the use of this approach.
ISO 9001 specifies a number of inputs to the management review process and these topics need to be addressed; however, these are not the only subjects that can be included in a review. It is also acceptable not to address them individually or simultaneously but as part of an overall review of the business. Auditors should be aware that the inputs could be in many forms such as reports, trend charts and so on.
As outputs from the management review process, there should be evidence of decisions regarding:
• changes to the quality policy and objectives,
• plans and possible actions for improvements,
• change of resources,
• revised business plans,
• budgets.
The outputs may not be only related to improvements or changes, but could also include decisions on other important issues, such as plans to introduce new products. Documented information on management reviews is required, but the format of this is not specified; minutes of meetings are the most common type, but electronic records, statistical charts, presentations etc. could be acceptable types.
The management review process might also include elements of quality management system planning, where changes to processes and systems are being considered.
Where this is the case, the auditors should review whether or not the following points have been considered:
• Will changes to the management system, or the business as a whole, have an impact on other parts of the system or business?
• Are proposed changes evaluated before implementation?
• In preparing strategic plans, are issues such as those in clause 4 “Context of the organization” of the standard considered?
• Are the controls needed identified before the outsourcing of a process is begun?
The management review process should not be an exercise carried out solely to satisfy the requirements of the standard and the auditors; it should be an integral part of the organization’s business management process. An overall management review is a complex process carried out at various levels in the organization. It will always be a two-way process, generated by top management with inputs from all levels in the organization. These activities could vary from daily, weekly, monthly, organizational unit meetings to simple discussions or reports. Auditors should look for evidence that the inputs and outputs of the management review process are relevant to the organization’s size and complexity and that they are used to improve the business. Auditors should also consider how the organization’s management is structured and how the management review process is used within this structure.